Paper: Alternative communication channel over NTP

Posted by Martijn Grooten on Apr 24, 2019

The use of DNS as a covert C&C communication channel has been widely documented and is fairly prevalent in the wild. Last week, Palo Alto Networksanalysed its use in the various tools of Iran's OilRig (APT34) group.

But DNS is not unique in this. As long ago as 2006, ICMP packets were being used in a trojan to exfiltrate data.

Another protocol that opens up the ability for C&C communication is NTP, the protocol used for clock synchronization.

Today, we publish a paper by researcher Nikolaos Tsapakis who looked at the possibilities of NTP packets carrying data and what can be done to detect this use of NTP.

Over the last few years SE Labs has tested more than 50 different security products against over 5,000 targeted attacks. In this guest blog post Stefan Dumitrascu, Chief Technical Officer at SE Labs, looks at the different attack tools available, how…

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.